I'm going to implement an Access Control List for each individual user so they can assign access to their own resources so they can hide stuff, for example, from their mothers, but show their friends.

Now storing ACL in a database seems like it can get pretty insane when each user is also a group, which can have many sub groups. So I'm thinking of storing the ACL stuff in a text file.

Good Idea? Bad Idea?

EDIT: I should note, I'm talking about an individual text file for each user. I'm thinking of creating an ACL class which I could serialize and write to the text file. My fear is that storing the ACL in a database would create insanely huge join tables and put a significant strain on the database server.

Concurrency will bite you. As will complexity and decreased performance as the file gets larger. As will the increased risk of corruption of something happens during writing of the file like power loss of system crashes.

A database will generally shield you from these issues and leave you to concentrate on the logic

You can implement hierarchical storage in a database using self joins e.g